DETAILED ACTION 

Response to Amendment 

1. The amendment filed 03 October 2005 is objected to under 35 U.S.C. 132(a) because it 
introduces new matter into the disclosure. 35 U.S.C. 132(a) states that no amendment shall 
introduce new matter into the disclosure of the invention. The added material which is not 
supported by the original disclosure is as follows: Applicant has not shown support in the 
specification for the added material in the amendment. The specification is not a running 
commentary. 

Applicant is required to cancel the new matter in the reply to this Office Action. 

Claim Rejections - 35 USC §102 

2. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on 
sale in this country, more than one year prior to the date of application for patent in the United States. 

3. Claims 1-15, 19, 20, 22 are rejected under 35 U.S.C. 102(b) as being anticipated by He, 
U.S. Patent No. 5,944,824. Referring to claim 1, He discloses a single sign-on system wherein a 
user obtains access to a plurality of network elements by providing sign-on information (Col. 4, 
lines 5-18). Each network element has an interface to the network through its own terminal 
server (Col. 4, lines 31-42), which meets the limitation of providing an intelligent network 
interface between a network and each device on the network. The security server performs all 
network security functions for the network (Col. 4, lines 19-20) including data encryption for 
authentication information and regular traffic data between a user and the network element after 
a connection is successfully established (Col. 4, lines 27-30 & Col. 5, lines 27-34), which meets 
the limitation of encrypting and decrypting critical data transmissions over the network using 
said intelligent network interfaces. The security server acts as a key distribution center (Col. 4, 
lines 27-30) and contains an encryption algorithm module that stores the encryption algorithm 
that is used in the encryption procedures (Col. 6, lines 23-28 & Figure 2), which meets the 
limitation of centrally managing keys and algorithms used by said intelligent network interfaces 
for encrypting and decrypting critical data transmissions over the network with a central 
management console. 

Referring to claims 2, 4, 5, He discloses that each network element has an interface to the 
network through its own terminal server (Col. 4, lines 31-42). The secure terminal servers can be 
considered a gateway or bridging device to connect the network elements to the IP network (Col. 
4, lines 41-45), which meets the limitation of each intelligent network interface providing 
protocol translation based on servlets provided by said CMC, CMC dynamically distributing 
proxy servlets to intelligent network interfaces based on distinguished name, said servlets 
selected from the group consisting of SSO servlets, distinguished name firewall servlets, auditing 
servlets, policy enforcement servlets, and web-filtering servlets. 

Referring to claim 3, He discloses that the network is an IP network (Col. 4, lines 38-40) and 
therefore utilizes the TCP/IP protocol suite. TCP/IP contains the application and protocol layers 
that are also present in the ISO seven-layer model, which meets the limitation of said protocol 
translation is selected from any two protocols within a single layer of an ISO layer protocol stack. 

Referring to claim 6, He discloses that the security server performs all network security 
functions for the network (Col. 4, lines 19-20) including data encryption for authentication 
information and regular traffic data between a user and the network element after a connection is 
successfully established (Col. 4, lines 27-30 & Col. 5, lines 27-34), which meets the limitation of 
the security servlets are security patching servlets. 

Referring to claim 7, He discloses a single sign-on system wherein a user obtains access 
to a plurality of network elements by providing sign-on information (Col. 4, lines 5-18). Each 
network element has an interface to the network through its own terminal server (Col. 4, lines 
31-42). The security server performs all network security functions for the network (Col. 4, lines 
19-20) including data encryption for authentication information and regular traffic data between 
a user and the network element after a connection is successfully established (Col. 4, lines 27-30 
& Col. 5, lines 27-34), which meets the limitation of a first intelligent network interface 
associated with a first client sending a request to the central management console with the 
identifying information about a connection that the first client wishes to send to a second client, 
said information including protocol, distinguished name, service, and header information, said 
CMC reviewing said connection against a network policy and determining denial or allowance of 
said connection. The security server acts as a key distribution center (Col. 4, lines 27-30) and 
contains an encryption algorithm module that stores the encryption algorithm that is used in the 
encryption procedures (Col. 6, lines 23-28 & Figure 2), which meets the limitation determining 
encryption algorithm, authentication required, keys for the connection, if the connection should 
be redirected to another device, and if the connection needs to be translated, said CMC sending a 
connection determination, including encryption and authentication algorithms, keys, and any 
translation servlets required to said first intelligent network interface. The security server 
establishes mutual authentication between the user and the network element and provides secure 
communication (Col. 6, lines 1-12), which meets the limitation of said first intelligent network 
interface initiating said connection with a second intelligent network interface associated with 
said second client by sending encrypted connection information, said second intelligent network 
interface querying said CMC with said encrypted connection information received from said first 
intelligent network interface, including a security parameters index for said connection that 
uniquely identifies said connection between said first and second intelligent network interfaces. 

Referring to claim 8, He discloses a single sign-on system wherein a user obtains access to a 
plurality of network elements by providing sign-on information (Col. 4, lines 5-18), which meets 
the limitation of authentication is a username/password. 

Referring to claim 9, He discloses that the security server contains a plurality of security 
mechanisms (Col. 4, lines 65-67 & Figure 2), which meets the limitation of providing a plurality 
of CMCs on said network in a hierarchical configuration. 

Referring to claim 10, He discloses a single sign-on system wherein a user obtains 
access to a plurality of network elements by providing sign-on information (Col. 4, lines 5-18), 
which meets the limitation of a user providing a distinguished name and authentication to a first 
intelligent network interface attached to the user's host device. Each network element has an 
interface to the network through its own terminal server (Col. 4, lines 31-42), which meets the 
limitation of providing an intelligent network interface between a network and each device on 
the network. The security server performs all network security functions for the network (Col. 4, 
lines 19-20), which meets the limitation of providing a central management console on said 
network. The security server verifies the authenticity of the user, and determines the set of 
network elements that the user is authorized to access (Col. 4, lines 24-28 & Col. 6, lines 57-67), 
which meets the limitation of the first intelligent network interface verifying the user's 
authentication with the CMC such that when said user requests services from a second device, 
the first intelligent network interface requests communication with said second device based on 
distinguished name, a second intelligent network interface associated with said second device 
queries the CMC for permission and user authentication for the second device based on 
distinguished name, the CMC provides user authentication information based on distinguished 
name to said second intelligent network to allow said second intelligent network interface to log 
the user into the second device. 
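The connection-determination limitations characterized above (first interface requests a decision from the CMC, the CMC returns algorithms, keys and a security parameters index, the second interface queries the CMC by that index) and the claim 10 single sign-on flow (the CMC hands the second interface login information keyed by distinguished name) describe one exchange. The following Python is an added illustration of that exchange and is not code from the application, from He (U.S. 5,944,824), or from this Office action. The policy table, the distinguished names, the device names, the SPI format and the XOR keystream stand-in cipher are all assumptions made for the example; the claims leave the actual algorithms to the CMC.

```python
import hashlib
import hmac
import json
import secrets


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption for the example): XOR with a SHA-256 counter
    keystream.  Encryption and decryption are the same operation.  The claims
    leave the algorithm to the CMC; a real deployment would use an AEAD."""
    out = bytearray()
    for j in range(0, len(data), 32):
        ks = hashlib.sha256(key + (j // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[j:j + 32], ks))
    return bytes(out)


class CMC:
    """Central management console: policy check, key/algorithm selection, SSO."""

    def __init__(self, policy, credentials):
        self.policy = policy            # (distinguished name, service) -> allowed
        self.credentials = credentials  # distinguished name -> {device: login}
        self.sessions = {}              # SPI -> (distinguished name, determination)

    def request_connection(self, dn, service, protocol, headers):
        """Step 1: the first INI reports protocol, DN, service and headers; the
        CMC reviews the request against policy and returns the determination."""
        if not self.policy.get((dn, service), False):
            raise PermissionError(f"policy denies {dn} -> {service}")
        determination = {
            "spi": secrets.token_hex(4),       # uniquely identifies this connection
            "protocol": protocol,
            "headers": headers,
            "enc_alg": "sha256-ctr-xor (stand-in)",
            "auth_alg": "hmac-sha256",
            "enc_key": secrets.token_bytes(32),
            "mac_key": secrets.token_bytes(32),
            "redirect": None,                  # redirection / translation not exercised
            "translation_servlet": None,
        }
        self.sessions[determination["spi"]] = (dn, determination)
        return determination

    def lookup(self, spi):
        """Step 3: the second INI queries the CMC with the SPI it received."""
        if spi not in self.sessions:
            raise PermissionError(f"unknown SPI {spi}")
        return self.sessions[spi]

    def sso_login(self, spi, device):
        """Claim 10 flow: login information for the second device, keyed by DN."""
        dn, _ = self.lookup(spi)
        return self.credentials[dn][device]


def first_ini_initiate(cmc, dn, service, protocol, headers, payload):
    """Steps 1-2: obtain the determination, then send encrypted, authenticated
    connection information (tagged with the SPI) toward the second INI."""
    det = cmc.request_connection(dn, service, protocol, headers)
    info = json.dumps({"dn": dn, "service": service, "protocol": protocol,
                       "headers": headers, "payload": payload}).encode()
    ct = keystream_xor(det["enc_key"], info)
    tag = hmac.new(det["mac_key"], det["spi"].encode() + ct, hashlib.sha256).digest()
    return {"spi": det["spi"], "ct": ct, "tag": tag}      # wire message


def second_ini_accept(cmc, msg, device):
    """Steps 3-4: query the CMC by SPI, verify and decrypt, then log the user
    into the second device with the login information the CMC supplies."""
    dn, det = cmc.lookup(msg["spi"])
    expected = hmac.new(det["mac_key"], msg["spi"].encode() + msg["ct"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        raise ValueError("authentication tag mismatch; connection dropped")
    info = json.loads(keystream_xor(det["enc_key"], msg["ct"]))
    if info["dn"] != dn:
        raise ValueError("DN in connection information does not match CMC record")
    return info, cmc.sso_login(msg["spi"], device)


# Constructed sample policy and credentials (hypothetical names).
POLICY = {("cn=alice,o=example", "ssh"): True,
          ("cn=alice,o=example", "telnet"): False}
CREDENTIALS = {"cn=alice,o=example": {"router-1": "alice"}}


def demo():
    cmc = CMC(POLICY, CREDENTIALS)
    msg = first_ini_initiate(cmc, "cn=alice,o=example", "ssh", "tcp",
                             {"dst-port": 22}, "show version")
    return second_ini_accept(cmc, msg, "router-1")


if __name__ == "__main__":
    print(demo())
```

The second interface never trusts the connection information on its own: it recovers the keys only by presenting the SPI to the CMC, checks the tag before decrypting, and rejects a message whose decrypted distinguished name disagrees with the CMC's record for that SPI. A denied policy entry stops the exchange at step 1, so no keys are ever issued for it.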

Referring to claim 11, He discloses a single sign-on system wherein a user obtains access 
to a plurality of network elements by providing sign-on information (Col. 4, lines 5-18). Each 
network element has an interface to the network through its own terminal server (Col. 4, lines 
31-42), which meets the limitation of a network, an intelligent network interface between each 
host device and said network. Several users are connected to the network (Figure 1), which 
meets the limitation of a plurality of host devices connected to said network. The security server 
performs all network security functions for the network (Col. 4, lines 19-20) including data 
encryption for authentication information and regular traffic data between a user and the network 
element after a connection is successfully established (Col. 4, lines 27-30 & Col. 5, lines 27-34), 
which meets the limitation of means on each intelligent network interface for encrypting and 
decrypting critical data transmissions over the network. The security server acts as a key 
distribution center (Col. 4, lines 27-30) and contains an encryption algorithm module that stores 
the encryption algorithm that is used in the encryption procedures (Col. 6, lines 23-28 & Figure 
2), which meets the limitation of at least one central management console for providing keys and 
algorithms used by said intelligent network interface for encrypting and decrypting critical data 
transmissions over the network. 

Referring to claims 12, 19, He discloses that the user computer contains a CPU, memory, 
an I/O interface, and that the network has an I/O interface (Figure 1). 

Referring to claims 13, 14, 20, He discloses that each network element has an interface to 
the network through its own terminal server (Col. 4, lines 31-42), which meets the limitation of 
each intelligent network interface is implemented in a form of standalone devices. 

Referring to claim 15, He discloses that the network interface is a serial port (Col. 4, lines 
35-37). 

Referring to claim 22, He discloses a single sign-on system wherein a user obtains access 
to a plurality of network elements by providing sign-on information (Col. 4, lines 5-18), which 
meets the limitation of a set of dynamically distributed code fragments stored on said CMC for 
distribution to said intelligent network interfaces, and means on each said intelligent network 
interface for using said code fragments to provide functions selected of single sign-on. 

Claim Rejections - 35 USC §103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

5. The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 
(1966), that are applied for establishing a background for determining obviousness under 35 
U.S.C. 103(a) are summarized as follows: 
1. Determining the scope and contents of the prior art. 

2. Ascertaining the differences between the prior art and the claims at issue. 

3. Resolving the level of ordinary skill in the pertinent art. 

4. Considering objective evidence present in the application indicating obviousness 
or nonobviousness. 

6. Claim 16 is rejected under 35 U.S.C. 103(a) as being unpatentable over He, U.S. Patent 
No. 5,944,824, in view of Liu, U.S. Patent No. 6,171,136. Referring to claim 16, He discloses 
that the network interface is an RS232 serial port (Col. 4, lines 35-37). It would have been obvious 
to one of ordinary skill in the art at the time the invention was made to use a USB serial port 
interface in He in order to provide a serial port interface that provides for higher data 
transmission speed than the earlier RS232 serial interface as taught by Liu. 

7. Claim 17 is rejected under 35 U.S.C. 103(a) as being unpatentable over He, U.S. Patent 
No. 5,944,824. Referring to claim 17, He discloses that the network interface is an RS232 serial 
port (Col. 4, lines 35-37), however, it would have been obvious to one of ordinary skill in the art 
at the time the invention was made in order for the network interface to communicate multiple 
items of information at one moment, which would reduce operation time. 

8. Claim 18 is rejected under 35 U.S.C. 103(a) as being unpatentable over He, U.S. Patent 
No. 5,944,824, in view of Kitazaki, U.S. Patent No. 6,172,936. Referring to claim 18, He 
discloses a single sign-on system wherein a user obtains access to a plurality of network 
elements by providing sign-on information (Col. 4, lines 5-18) from a user computer (Figure 2). 
He does not disclose storing the operating system of the user computer on a flash memory. 
Kitazaki discloses storing the operating system on a flash memory (Col. 1, line 60). It would 
have been obvious to one of ordinary skill in the art at the time the invention was made to store 
the operating system of the user computer on a flash memory in order to obviate the need to 
transfer the operating system to main memory from the hard disk, which significantly reduces 
the time required to boot up the computer (Col. 1, lines 61-64). 

Application/Control Number: 10/068,776 Page 9 

Art Unit: 2132 

9. Claim 21 is rejected under 35 U.S.C. 103(a) as being unpatentable over He, U.S. Patent 
No. 5,944,824, in view of Walter, U.S. Patent No. 6,151,677. Referring to claim 21, He discloses 
that the security server performs all network security functions for the network (Col. 4, lines 19- 
20) including data encryption for authentication information and regular traffic data between a 
user and the network element after a connection is successfully established (Col. 4, lines 27-30 & 
Col. 5, lines 27-34). He does not disclose the encryptor is located on an FPGA. Walter discloses 
encryption capabilities on an FPGA (Col. 7, lines 29-32). It would have been obvious to one of 
ordinary skill in the art at the time the invention was made to use an FPGA for encryption 
purposes in order to provide for inherent tamper protection of the encryption information (Col. 4, 
lines 55-63). 

Conclusion 

10. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Benjamin E. Lanier whose telephone number is 571-272-3805. 
The examiner can normally be reached on M-Th 7:30am-5:00pm, F 7:30am-4pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 


Benjamin E. Lanier 

GILBERTO BARRON 
SUPERVISORY PATENT EXAMINER 
TECHNOLOGY CENTER 2100 